Make cert duration configurable with 3 year default

A 1 year lifetime was too short for what most people want in large fleets

Signed-off-by: Andy Doan <andy@foundries.io>
This commit is contained in:
Andy Doan
2023-12-06 15:50:24 -06:00
parent 3c980ab15c
commit b176faa28e
3 changed files with 10 additions and 4 deletions


@@ -12,6 +12,7 @@ import (
"net"
"net/http"
"os"
"time"
est "github.com/foundriesio/estserver"
"github.com/labstack/echo/v4"
@@ -33,6 +34,7 @@ func main() {
{name: "root-cert", help: "EST CA PEM encoded root certificate"},
}
port := flag.Int("port", 8443, "Port to listen on")
certDuration := flag.Duration("cert-duration", time.Hour*24*365*3, "How long new certs should be valid for. e.g. such as '1.5h' or '2h45m'. 3 years is default")
clientCas := flag.String("client-cas", "", "PEM encoded list of device CA's to allow. The device must present a certificate signed by a CA in this list or the `ca-cert` to authenticate")
for _, opt := range required {
@@ -83,7 +85,7 @@ func main() {
log.Fatal().Err(err).Msg("Unable to create tls cert handler")
}
svcHandler := est.NewStaticServiceHandler(est.NewService(rootCert, caCert, caKey))
svcHandler := est.NewStaticServiceHandler(est.NewService(rootCert, caCert, caKey, *certDuration))
e := echo.New()
s := http.Server{
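Review bot: The new `cert-duration` flag is never validated before it is handed to `est.NewService`, and `flag.Duration` happily accepts `0` or a negative value, which would make every issued certificate expire at or before its `NotBefore` (the clamp in `signCsr` only bounds the upper end). Add a guard after `flag.Parse()`, which sits outside this hunk, along the lines of `if *certDuration <= 0 { log.Fatal().Msg("cert-duration must be a positive duration") }`. It would also be worth stating in the help text that a 3 year lifetime widens the exposure window if a device key is compromised, so operators know the trade-off when they leave the default; the help string itself could read `"How long new certs should be valid for, e.g. '720h' or '2h45m' (default 3 years)"`.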


@@ -96,14 +96,18 @@ type Service struct {
// ca and key are the EST7030 keypair used for signing EST7030 requests
ca *x509.Certificate
key crypto.Signer
certDuration time.Duration
}
// NewService creates an EST7030 API for a Factory
func NewService(rootCa *x509.Certificate, ca *x509.Certificate, key crypto.Signer) Service {
func NewService(rootCa *x509.Certificate, ca *x509.Certificate, key crypto.Signer, certDuration time.Duration) Service {
return Service{
rootCa: rootCa,
ca: ca,
key: key,
certDuration: certDuration,
}
}
@@ -207,7 +211,7 @@ func (s Service) signCsr(ctx context.Context, csr *x509.CertificateRequest) ([]b
}
now := time.Now()
notAfter := now.Add(time.Hour * 24 * 365)
notAfter := now.Add(s.certDuration)
if notAfter.After(s.ca.NotAfter) {
log.Warn().Msg("Adjusting default cert expiry")
notAfter = s.ca.NotAfter
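Review bot: `signCsr` trusts `s.certDuration` unconditionally, so a zero-value `Service{}` or a caller passing `0` or a negative duration to `NewService` yields certificates that are already expired when issued; nothing in `NewService` rejects that. Since `NewService` returns only `Service`, the safest place for the check is here before `notAfter` is used, e.g. `if s.certDuration <= 0 { return nil, fmt.Errorf("invalid cert duration %v", s.certDuration) }` (the signature appears to be `([]byte, error)` but is cut off at the hunk edge, so adjust the return accordingly). The warning on the clamp path also still says "Adjusting default cert expiry" even though the duration is now operator-configured; `log.Warn().Dur("requested", s.certDuration).Time("caNotAfter", s.ca.NotAfter).Msg("Requested cert duration exceeds CA expiry; clamping")` would tell the operator what actually happened. The exported `NewService` doc comment should also mention that `certDuration` bounds the lifetime of certificates issued from this CA and is clamped to the CA's own `NotAfter`. Both `signCsr` and the `Service` type start outside this hunk.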


@@ -71,7 +71,7 @@ func createService(t *testing.T) Service {
cert, err := x509.ParseCertificate(der)
require.Nil(t, err)
return Service{cert, cert, key}
return Service{cert, cert, key, time.Hour * 24}
}
func TestService_CA(t *testing.T) {
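Review bot: The `createService` helper now builds `Service` with a positional literal, `Service{cert, cert, key, time.Hour * 24}`, which silently misassigns fields the next time someone reorders or inserts a struct member; prefer keyed fields, `Service{rootCa: cert, ca: cert, key: key, certDuration: time.Hour * 24}`. Beyond that, no test in this commit exercises the behaviour being changed: nothing asserts that an issued certificate's `NotAfter` is `now + certDuration`, nor that a duration longer than the CA's remaining validity is clamped to `ca.NotAfter` rather than producing a cert that outlives its issuer. A test that creates a service with a duration exceeding the test CA's lifetime and checks the signed cert's `NotAfter` equals the CA's would pin the clamp, and one with a short duration would pin the happy path. `createService` begins outside this hunk.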